Not for emergencies. Call 911 for medical emergencies or 811 for non-urgent health advice.

Ontario Virtual Pharmacist

Security

How we protect your health information.

Version 1.0 · published April 2026

Ontario Virtual Pharmacist takes patient privacy and information security seriously. This page summarizes the practical controls we have in place. For the legal framework governing how your personal health information is handled, see our Privacy policy (PHIPA).

Encryption

  • All traffic between your browser and our service runs over TLS 1.3. HTTP requests are upgraded to HTTPS automatically, and HSTS is enforced in production.
  • Patient health information is encrypted at rest in Canadian data centres using AES-256.
  • Uploaded photos (health card, condition photos) are stored via short-lived signed URLs — links expire after a few minutes and are not browseable.

Data residency

Personal health information is stored in Canadian data centres. Vendors that touch PHI are contractually required to keep that data in Canada or to provide equivalent safeguards under Ontario's Personal Health Information Protection Act (PHIPA).

Access controls

  • Patient records are visible only to the pharmacist assessing that visit and authorized staff at the participating dispensing pharmacy assigned to it.
  • Every record access is written to an immutable audit log retained for ten years.
  • The platform team does not access individual patient records outside of explicit support requests initiated by the patient.

Abuse protection

  • Per-IP rate limits on the intake and contact endpoints stop automated abuse.
  • Anti-replay nonces on intake submissions prove a real, recent page render — fully scripted submissions are rejected.
  • Honeypot fields silently drop bot traffic that fills hidden inputs.
  • All requests are served behind Vercel's edge network with DDoS protection.
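
One way an anti-replay nonce like the one described above can work, as an added example that is not this service's own code: the server signs a random id and issue time at page render, then accepts each token once within a freshness window. The function names, the HMAC-SHA256 token format, the ten-minute window and the in-memory store are all assumptions made for illustration.

```javascript
// Added example (not the site's code): signed, single-use, time-limited form nonce.
const crypto = require("node:crypto");

const MAX_AGE_MS = 10 * 60 * 1000;      // assumed freshness window
const SECRET = crypto.randomBytes(32);  // assumed server-side secret, never sent to the browser
const seen = new Map();                 // nonce id -> expiry time; a shared store in production

function sign(payload) {
  return crypto.createHmac("sha256", SECRET).update(payload).digest("base64url");
}

// Called when the intake form is rendered; the token goes into a hidden field.
function issueNonce(now = Date.now()) {
  const payload = `${crypto.randomBytes(16).toString("base64url")}.${now}`;
  return `${payload}.${sign(payload)}`;
}

// Called on submission; returns "ok" or the reason the request is rejected.
function checkNonce(token, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return "malformed";
  const [id, issued, mac] = parts;

  // Constant-time comparison so the check does not leak how much of the MAC matched.
  const expected = Buffer.from(sign(`${id}.${issued}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return "bad-signature";
  }

  // The issue time is trusted only because it is covered by the MAC.
  const age = now - Number(issued);
  if (!(age >= 0 && age <= MAX_AGE_MS)) return "expired";

  // Forget ids that can no longer pass the freshness check, then enforce single use.
  for (const [k, exp] of seen) if (exp < now) seen.delete(k);
  if (seen.has(id)) return "replayed";
  seen.set(id, Number(issued) + MAX_AGE_MS);
  return "ok";
}
```

A client that renders the page and scripts only the submission still obtains a valid token, so a check like this limits replay and stale submissions and works alongside the rate limits and honeypot fields rather than replacing them.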

Browser-side hardening

Every page sets X-Frame-Options: DENY (no clickjacking), X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and a Permissions-Policy that disables camera, microphone, geolocation, and FLoC.

Breach response

If a privacy or security breach occurs that affects patient health information, we notify affected patients and the Information and Privacy Commissioner of Ontario (IPC) without undue delay, as required by PHIPA.

Responsible disclosure

If you believe you've found a security issue, please tell us through our contact page with the topic "Privacy or data request". We acknowledge submissions within five business days and work in good faith with security researchers — we won't threaten legal action against anyone testing in good faith and giving us a reasonable window to fix issues before public disclosure.

Last reviewed

This statement was last reviewed in April 2026. We re-check the controls on every major release and at minimum once per year.